Does Data Localization Work for India's Data Security and Digital Economy?
Sun, 30 Sep 2018 || By Anggika Rahmadiani

The digital economy has been largely depending on the digital data flow. Nation-states and business have been utilizing technology such as cloud computing that connects individuals and entities across the world. Through cloud computing, data flows freely from one place to another without significant restriction from any states. However, this phenomenon of a free flow of data has brought data security as a salient issue for nation-states. After the latest Cambridge Analytica data breaching, the European Union (EU) has responded by enacting the General Data Protection Regulation (GDPR). [1] Besides EU, India also shows a higher concern for data security and is about to draw a fine line on their data security by formulating their data protection law.[2]


India’s Data Sovereignty: Data Classification and Localization

India, which had nearly 500 million internet users and second largest e-commerce market in the world[3], perceived as taking a backward step in their industry and technology development in order to gain back their authority over citizens’ data ownership – data sovereignty. In early August 2018, India Supreme Court under Srikrishna Committee, submitted a Personal Data Protection Bill 2018 as a recommendation on data privacy management including the restriction of cross-border data flow, to the Ministry of Electronics and Information Technology[4]

india's data security

This bill proposed that the vast amount of Indian citizens data should be classified as critical information infrastructure[5]. The bill also classified two types of data (1) Personal Data and (2) Sensitive Personal Data. It only allowed Personal Data being transferred in the cross-border server under certain circumstances controlled by the government[6], and strictly prohibit the transfer of any Sensitive Personal Data (which includes passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe and religious or political belief or affiliation). [7] Besides the sensitive personal data’s transfer prohibition policy, the Government of India also demanded the cloud service providers, specifically the foreign companies, to open their own local data center in India.[8] This data localization proposal has bring a great controversy among relevant business and industries’ stakeholders in India.


Data Localization as a constraint for the future of India’s Economy

Using cloud computing in cross border-transfer of data already become a common practice amongst companies and startup in India[9]. The companies use third-party cloud service provider –which mostly comes from global players in tech industry namely Microsoft, Google, and Amazon– and store their data abroad instead of having their own physical data center inside the country. The Government of India comes up with the argument that data localization will do best to protect their domestic industry. Unluckily, this protectionist policy seems to be counterproductive. It may go against its economic interest. There are two main reasons for this argument:

First, India’s start-ups and companies will have a limitation in choosing the cloud service providers. The exclusive access to data inside the country will not coherently affect India’s companies' growth. As a substitute of the big-tech companies’ absence, India’s Government cloud service strategy, Meghraj[10] will take the gain as the main player in the cloud service market. However, many companies may see Meghraj as being inexperienced and less trustworthy than the previous foreign big companies as this body is entirely a new institution that has no experience dealing with consumers’ data before.

india's data security

Second, from the cloud service provider’s competition will bring a trickledown effect towards the state’s GDP. A study conducted by The European Centre for International Political Economy predicted that if the government were to apply this bill, it would result in the reduction of India’s GDP on -0,1% and even higher when it applies in all sector, which can reach -0,8% [11] It will only limit the competition in the industry of cloud service provider's company[12] unless the foreign cloud service providers’ companies are willing to adjust their move by building their new local data centers in India, which will raise the cost of their planned investment[13] The giant tech companies, under the US-India Strategic Partnership Forum and US-India Business Council, intensively try to negotiate with India’s Government regarding the Personal Data Protection Bill.[14] Nonetheless, Alibaba already came as a starter to enter the data localization market in India, agreeing to have their data center inside the national territory of India[15], which left other giant tech companies under pressure.


India Data Localization: Security versus Economic Interest?

Drawing the argument above, it is seen that data localization policy will not guarantee a greater India's data security. Instead of coming up with a more robust security system, India makes the data localization as an excuse for digital protectionism which can lead to a further negative impact on the emerging industry and global trade. Changing the nationalist orientated policy into a more evident-based cyber-security policy and more neutral data protection law would be beneficial for both the national data security

Editor: Treviliana Eka Putri

Read another article written by Anggika Rahmadiani or article about big data.

[1] Kalra, A. (2018). Exclusive: India panel wants localisation of cloud storage data in possible blow to big tech firm, [Online] Available at: Accessed at 12 September 2018

[2] Rodl & Partner. (2018). India Data Privacy Laws and EU GDPR, [Online] Available at: [Accessed 12 September 2018]

[3] Balaji, S. (2018). India Finally Has A Data Privacy Framework -- What Does It Mean For Its Billion-Dollar Tech Industry? [Online] Available at: [Accessed 13 September 2018]

[4] Ibid.

[5] Telecom Regulatory Authority of India. (2017). Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, [Online] Available at: [Accessed 13 September 2018]

[6] PRS Legislative Research. (2018). Draft Personal Data Protection Bill 2018, [Online] Available at: [Accessed 15 September 2018]

[7] PRS Legislative Research. (2018). The Personal Data Protection Bill 2018, [Online] Available at:,%202018.pdf, p. 23-24 [Accessed 15 September 2018]  

[8] Ibid

[9] DSCI. (2017). NASSCOM-DSCI Inputs on TRAI Cloud Computing Consultation Paper, [Online] Available at: p. 3. [Accessed 12 September 2018]

[10]IndraStra. (2018).Meghraj – India’s Cloud Initiative, [Online] Available at: [Accessed 15 September 2018 ]

[11] Meltzer, J. P. and Lovelock, P. (2018). Regulating for a Digital Economy: Understanding The Importance of Cross-Border Data Flows in Asia, [online] Available at:  Brooking Institute Global Economy and Development Working Paper 113, March 2018. [Accessed 12 September 2018]

[12] Sharma, M. (2018).How data localisation limits possibilities for Indi’s startups, consumers. [Online] Available at: [Accessed 15 September 2018]

[13] Sputnik International. (2018). American Tech Giants Wary of India’s Data Localization Move – Report, [Online] Available at: [Accessed 13 September 2018]

[14] Agarwal, S. (2018).Big tech is in a knot over data localisation norms, [Online] Available at: [Accessed 12 September 2018]

[15] The Hindu. (2017). Alibaba Cloud to open data centres in India, Indonesia, [Online] Available at: [Accessed 14 September 2018]